Abstract. In this paper we design a stream cipher that uses the algebraic structure of the multiplicative group $\mathbb{Z}_p^*$ (where $p$ is a big prime number used in the ElGamal algorithm), by defining a quasigroup of order $p-1$ and by doing quasigroup string transformations. The cryptographical strength of the proposed stream cipher is based on the fact that breaking it would be at least as hard as solving systems of multivariate polynomial equations modulo a big prime number $p$, which is an NP-hard problem for which no fast randomized or deterministic algorithms are known. Unlike the known ciphers that work in $\mathbb{Z}_p^*$ for big prime numbers $p$, the speed of this stream cipher, in both the encryption and the decryption phase, is comparable with the fastest symmetric-key stream ciphers.
1 Introduction

From the point of view of how encryption algorithms encrypt information that is repeated several times during the phase of communication, they are divided into stream ciphers and block ciphers. While block ciphers always give the same output of cipher text for the same input blocks of plain text, stream ciphers give different outputs for the same sequences of plain text. On the other side, depending on the type of the keys used in a cryptographic algorithm and the way the keys are used, there is another classification of encryption algorithms: symmetric-key and public-key algorithms. Symmetric-key algorithms need the correspondents in the communication to share the same key, previously exchanged through some secure channel that is out of the scope of the definition of the algorithm, while in public-key algorithms the problem of exchanging the communication key is a part of the algorithm and no secure channel is necessary for that purpose.

Stream cipher algorithms can be either symmetric-key or public-key. Regarding the speed of the encryption and decryption procedures, symmetric-key stream ciphers are much faster than public-key ones. That is because symmetric-key stream ciphers usually use fast register operations such as shifting, rotation and bit-by-bit logical operations, while the most popular and well-known public-key algorithms usually use modular exponentiation. Thus, public-key algorithms are around 1000 times slower than symmetric-key algorithms.

A well-known public-key stream cipher is the Blum-Goldwasser probabilistic public-key encryption scheme. Even though the speed of that algorithm in the encryption phase is much higher than that of RSA encryption, its speed in the decryption phase is similar to, or in some cases even lower than, the speed of the RSA algorithm ([2], pp. 310-311). In fact, the lack of speed of public-key stream ciphers is one of the main reasons why they are not widely used in stream communication.

The Diffie-Hellman algorithm was proposed in 1976 and introduced the concept of public-key cryptography. That algorithm is usually used for establishing a key exchange between two correspondents, after which the communication usually continues with some fast symmetric algorithm (either a block or a stream cipher). In 1985 ElGamal proposed a public-key cryptosystem based on the Diffie-Hellman algorithm. One of the disadvantages of the ElGamal algorithm is that the cipher text is two times longer than the corresponding plain text, which makes it unsuitable for use as a stream cipher.

In this paper, beside the theory of finite fields, we also use the theory of quasigroups and Latin squares. Although quasigroups (or Latin squares) are used in the design of many modern symmetric cryptographic algorithms, they are not in the mainstream of cryptographic paradigms. During the last 10 years several cryptographic algorithms based on quasigroups were developed. Those algorithms base their security on the assumption that other problems, such as factoring of natural numbers or the discrete logarithm problem, cannot be solved in polynomial time, and thus have solid theoretical ground for their security. However, because all of those algorithms usually use sets of Latin squares (quasigroups), their implementation is several orders of magnitude slower than other cryptographic algorithms in their category, which are usually based on bit manipulation and shift registers.

Excellent introductory materials about the theory of quasigroups can be found in [10] and [11]; the literature also covers several applications of quasigroups and Latin squares.

In the cryptographic algorithms introduced in [17] and the papers that followed it ([20], [21] and [22]), the authors use quasigroups to define so-called "quasigroup string transformations". By those algorithms they define a stream cipher whose principles are used in this paper. For effective encryption and decryption, the quasigroup stream cipher uses a set of leaders that are in fact the secret symmetric key. However, the quasigroups used in those algorithms are of order 16 to 256, and the complete multiplication table has to be known before encryption/decryption starts.

In order to solve the problem of fast generation of quasigroups of order $p-1$, where $p$ is a prime number, a fast way of generating a quasigroup from only the first row of its multiplication table was proposed. That first row is in fact a permutation of the elements of $\mathbb{Z}_p^* = \mathbb{Z}_p \setminus \{0\} = \{1, 2, \dots, p-1\}$, and by knowing only that permutation it is possible to define the product of any two elements such that a quasigroup will be formed.

In this paper we will define a stream cipher that in its initialization phase uses the ElGamal algorithm; the encryption is then made by using quasigroup string transformations, where the quasigroup is defined by knowing only one permutation of the set $\mathbb{Z}_p^*$.

The organization of the paper is the following: in Section 2 we give the basic definitions of the ElGamal algorithm, of the quasigroup stream cipher and of the fast definition of a quasigroup from a known permutation. In Section 3 we define the new stream cipher and give an example with a small value of $p$, in Section 4 we examine the cryptographical strength of the proposed stream cipher, and in Section 5 we give the conclusions.

2 Basic definitions 

In our description of cryptographic algorithms we will use the usual notation that the correspondents in the communication are Alice and Bob.

2.1 Basic ElGamal encryption algorithm 

The ElGamal encryption algorithm uses a big prime number $p$ and the operations of modular exponentiation and modular multiplication. There are three phases of the algorithm: key generation, encryption and decryption. The algorithm is the following:

Key generation. Alice generates her public and private keys as follows:

1. Generate a large random prime number $p$ and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$ of the integers $\{1, 2, \dots, p-1\}$.

2. Select a random integer $a$, $1 < a < p-2$, and compute $\alpha^a \bmod p$.

3. Alice's public key is the triplet $(p, \alpha, \alpha^a)$; Alice's private key is $a$.

Encryption. Bob encrypts a message $m$ for Alice by doing the following:

1. Obtain Alice's authentic public key $(p, \alpha, \alpha^a)$.

2. Represent the message as an integer $m$ in the range $\{0, 1, \dots, p-1\}$.

3. Select a random integer $e$, $1 < e < p-2$.

4. Compute $\gamma = \alpha^e \bmod p$ and $\delta = m \cdot (\alpha^a)^e \bmod p$.

5. Send the ciphertext $c = (\gamma, \delta)$.

Decryption. To recover the message $m$ Alice should do the following:

1. Use the private key $a$ to compute $\gamma^{-a} = \gamma^{p-1-a} \bmod p$.

2. Recover $m$ by computing $m = \delta \cdot \gamma^{-a} \bmod p$.

It is obvious that the message expansion in the ElGamal algorithm is by a factor of 2, because Bob sends the cipher text $c = (\gamma, \delta)$ that has twice the length of the message $m$. That fact is considered a serious disadvantage of the algorithm. A simple analysis of the algorithm shows that in the encryption phase it uses two modular exponentiations and one modular multiplication, while in the decryption phase it uses one modular exponentiation, one calculation of an inverse element in the multiplicative group (calculation of the element $\gamma^{-1} \bmod p$) and one modular multiplication. For the security analysis and the security issues about the prime numbers used in the ElGamal algorithm the reader can see [2].

2.2 Definition of basic quasigroup string transformations 

In this subsection we will give some definitions from the theory of quasigroups and define basic quasigroup string transformations. We say "basic" string transformations because in [17] much more complex quasigroup string transformations are defined, but we will not use them in our definition of the stream cipher.

Definition 1. Let $Q = \{a_1, a_2, \dots, a_n\}$ be a finite set of $n$ elements. A quasigroup $(Q, *)$ is a groupoid satisfying the law

$$(\forall u, v \in Q)(\exists!\, x, y \in Q)\quad u * x = v \ \&\ y * u = v. \qquad (1)$$

Given a quasigroup $(Q, *)$, a new operation $*^{-1}$ on the set $Q$ can be derived by:

$$*^{-1}(x, y) = z \iff x * z = y. \qquad (2)$$

It is easy to prove the following

Lemma 1. The groupoid $(Q, *^{-1})$ is a quasigroup. □

Instead of the symbol $*^{-1}$ we will use the symbol $\backslash$, and we will say that the quasigroup $(Q, \backslash)$ is the left parastrophe (or conjugate in some literature) adjoint to the quasigroup $(Q, *)$.

Then from the definition of $\backslash$ it follows that

$$x * y = z \iff y = x \backslash z, \qquad (3)$$

and

$$x \backslash (x * y) = y, \qquad x * (x \backslash y) = y. \qquad (4)$$

In what follows we will give the basic definitions for quasigroup string transformations and address several theorems and properties which are proved in [17].

Consider an alphabet (i.e. a finite set) $Q$, and denote by $Q^+$ the set of all nonempty words (i.e. finite strings) formed by the elements of $Q$. The elements of $Q^+$ will rather be denoted by $a_1 a_2 \dots a_n$ than by $(a_1, a_2, \dots, a_n)$, where $a_i \in Q$. Let $*$ be a quasigroup operation on the set $Q$, i.e. consider a quasigroup $(Q, *)$. For each $a \in Q$ we define two functions $e_a, d_a : Q^+ \to Q^+$ as follows. Let $a_i \in Q$, $\alpha = a_1 a_2 \dots a_n$. Then

$$e_a(\alpha) = b_1 b_2 \dots b_n \iff b_1 = a * a_1,\ b_2 = b_1 * a_2,\ \dots,\ b_n = b_{n-1} * a_n,$$

i.e. $b_{i+1} = b_i * a_{i+1}$ for each $i = 0, 1, \dots, n-1$, where $b_0 = a$, and

$$d_a(\alpha) = c_1 c_2 \dots c_n \iff c_1 = a * a_1,\ c_2 = a_1 * a_2,\ \dots,\ c_n = a_{n-1} * a_n,$$

i.e. $c_{i+1} = a_i * a_{i+1}$ for each $i = 0, 1, \dots, n-1$, where $a_0 = a$.

Fig. 1. Graphical representation of the $e_a$ function.

Fig. 2. Graphical representation of the $d_a$ function.



Definition 2. The functions $e_a, d_a$ are called e- and d- string transformations of $Q^+$ based on the operation $*$ with leader $a$.

Note that $e_a \circ d_a = d_a \circ e_a = 1_{Q^+}$ when $d_a$ is taken with respect to the left parastrophe $\backslash$ (this is exactly the identity (4)), i.e. $e_a$ and $d_a$ are mutually inverse string transformations. A graphical representation of $e_a$ and $d_a$ is shown on Fig. 1 and Fig. 2. Next we will extend the definition of e- and d- string transformations with the following

Definition 3. If we choose $k$ leaders $a_1, a_2, \dots, a_k \in Q$ (not necessarily distinct), then the compositions of mappings

$$E_k = E_{a_1 \dots a_k} = e_{a_1} \circ e_{a_2} \circ \cdots \circ e_{a_k}$$

and

$$D_k = D_{a_1 \dots a_k} = d_{a_1} \circ d_{a_2} \circ \cdots \circ d_{a_k}$$

are called E- and D- quasigroup string transformations of $Q^+$, respectively.
In [17] the following two lemmas are proved:

Lemma 2. The functions $E_k$ and $D_k$ are permutations on $Q^+$. □

Lemma 3. In a quasigroup $(Q, *)$, with a given set of $k$ leaders $\{a_1, a_2, \dots, a_k\}$, the inverse of $E_k = E_{a_1 \dots a_k} = e_{a_1} \circ \cdots \circ e_{a_k}$ is $E_k^{-1} = D_{a_k \dots a_1} = d_{a_k} \circ \cdots \circ d_{a_1}$.

Now it is clear that for any quasigroup string transformation $E$ the pair of functions $(E, E^{-1})$ can be considered as a pair of an encryption and a decryption function for the strings on an alphabet $Q$. More formally, we give the following definition of a quasigroup stream cipher:

Definition 4. For a given quasigroup $(Q, *)$ and a given $k$-tuple $(a_1, a_2, \dots, a_k)$ of leaders $a_i \in Q$, the system $((Q, *), (a_1, a_2, \dots, a_k), E_{a_1 \dots a_k}, D_{a_k \dots a_1})$ defines a quasigroup stream cipher on the strings in $Q^+$.
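As an added illustration that is not code from the paper, the following Python implements the e- and d- transformations, their compositions $E$ and $D$ and the left parastrophe of this subsection on a constructed quasigroup of order 4; the Latin square and the sample words are assumptions made here. The d-transformation is applied over the left parastrophe $\backslash$, which is what Lemma 3 needs for $D_{a_k \dots a_1}$ to invert $E_{a_1 \dots a_k}$.

```python
# Added example, not code from the paper: the e-/d- string transformations,
# their compositions E and D, and the left parastrophe of Section 2.2 on a
# constructed quasigroup of order 4 (the Latin square below is made up here).
from itertools import product
from typing import Callable, List, Sequence

# Multiplication table of (Q, *) on Q = {0, 1, 2, 3}: row x, column y holds x * y.
# Every row and every column is a permutation of Q, so law (1) holds.
STAR = [
    [2, 0, 3, 1],
    [1, 3, 0, 2],
    [3, 2, 1, 0],
    [0, 1, 2, 3],
]


def left_parastrophe(table: List[List[int]]) -> List[List[int]]:
    """Table of (Q, \\) derived from (Q, *) by (2): x \\ z = y  <=>  x * y = z."""
    n = len(table)
    ldiv_table = [[-1] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            ldiv_table[x][table[x][y]] = y
    return ldiv_table


LDIV = left_parastrophe(STAR)
Op = Callable[[int, int], int]


def star(x: int, y: int) -> int:
    return STAR[x][y]


def ldiv(x: int, z: int) -> int:
    return LDIV[x][z]


def e_transform(op: Op, leader: int, word: Sequence[int]) -> List[int]:
    """e_a: b_1 = a op a_1, b_{i+1} = b_i op a_{i+1} (each output feeds the next step)."""
    out, prev = [], leader
    for sym in word:
        prev = op(prev, sym)
        out.append(prev)
    return out


def d_transform(op: Op, leader: int, word: Sequence[int]) -> List[int]:
    """d_a: c_1 = a op a_1, c_{i+1} = a_i op a_{i+1} (each input feeds the next step)."""
    out, prev = [], leader
    for sym in word:
        out.append(op(prev, sym))
        prev = sym
    return out


def E(leaders: Sequence[int], word: Sequence[int]) -> List[int]:
    """E_{a_1...a_k} = e_{a_1} o ... o e_{a_k} over *, so e_{a_k} is applied first."""
    for a in reversed(leaders):
        word = e_transform(star, a, word)
    return list(word)


def D(leaders: Sequence[int], word: Sequence[int]) -> List[int]:
    """D_{a_k...a_1} = d_{a_k} o ... o d_{a_1} over \\; by Lemma 3 it inverts E."""
    for a in leaders:
        word = d_transform(ldiv, a, word)
    return list(word)


def e_is_bijection(leaders: Sequence[int], length: int) -> bool:
    """Lemma 2 checked exhaustively on all words of one length: E is injective there."""
    words = [list(w) for w in product(range(len(STAR)), repeat=length)]
    return len({tuple(E(leaders, w)) for w in words}) == len(words)
```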



2.3 Definition of a quasigroup of big order $p-1$

The construction of Latin squares is discussed in the literature. However, the known constructions of Latin squares are not suitable for our purposes in this paper, because we want to define a quasigroup of order $p-1$ where $p$ is a big prime number with more than 1024 bits. That problem can be solved by the following approach. Namely, if we have a permutation

$$\begin{pmatrix} 1 & 2 & \cdots & j & \cdots & p-1 \\ a_{11} & a_{12} & \cdots & a_{1j} & \cdots & a_{1,p-1} \end{pmatrix},$$

where $(a_{11}, a_{12}, \dots, a_{1j}, \dots, a_{1,p-1})$ is the first row of the quasigroup that we want to define, then by defining $i * j = i \times a_{1j} \bmod p$ we will define a quasigroup $(Q, *)$ of order $p-1$.

We will define a permutation of the elements in $\mathbb{Z}_p^*$ by the following lemma:

Lemma 4. For a given prime number $p$ and a given number $K$, $1 < K < p-2$, the function

$$f_K(j) = \frac{1}{1 + (K + j) \bmod (p-1)} \bmod p$$

is a permutation of the elements in $\mathbb{Z}_p^*$. □

Now we can prove the following

Lemma 5. The multiplication operation $*$ defined on the set $Q = \{1, 2, \dots, p-1\}$ as

$$i * j = i \times f_K(j) \bmod p \qquad (5)$$

defines a quasigroup $(Q, *)$. □

From the last lemma we have the following

Corollary 1. If we define the function

$$g(i, j, K) = \big((i \times j^{-1} \bmod p) - 1 - K\big) \bmod (p-1) \qquad (6)$$

that takes the arguments $i, j$ and $K$ from the set $\{1, 2, \dots, p-1\}$, i.e. maps the set $\{1, 2, \dots, p-1\}^3$ into the set $\{0, 1, 2, \dots, p-2\}$, then the left parastrophe $(Q, \backslash)$ of the quasigroup $(Q, *)$ defined by (5) is defined as:

$$i \backslash j = \begin{cases} g(i, j, K), & \text{if } g(i, j, K) \neq 0 \\ p-1, & \text{if } g(i, j, K) = 0 \end{cases} \qquad (7)$$

□

To be consistent with the notation $f_K(j)$, we will use the notation $g_K(i, j)$ instead of the notation $g(i, j, K)$. An additional reason for doing that will be offered in the next section, where once the value of $K$ is chosen, it remains fixed for different values of $i$ and $j$.



3 A quasigroup stream cipher in $\mathbb{Z}_p^*$

In this section we will define a quasigroup stream cipher that combines the algorithms described in the previous section. The algorithm is as follows:

A quasigroup stream cipher

Key generation. Alice generates her public and private keys as follows:

1. Generate a large random prime number $p$ and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$ of the integers $\{1, 2, \dots, p-1\}$.

2. Select a random integer $a$, $1 < a < p-2$, and compute $\alpha^a \bmod p$.

3. Alice's public key is the triplet $(p, \alpha, \alpha^a)$; Alice's private key is $a$.

Session key generation. Bob wants to establish a secure stream channel with Alice by doing the following:

1. Obtain Alice's authentic public key $(p, \alpha, \alpha^a)$.

2. Select a random integer $K$, $1 < K < p-1$, by which a quasigroup $(Q, *)$ will be defined on the elements $\{1, 2, \dots, p-1\}$ with equation (5).

3. Encrypt $K$ by the ElGamal algorithm, obtaining $C = (\Gamma, \Delta)$.

4. Select $k \ge 3$ random integers $a_i$, $i = 1, 2, \dots, k$, $1 < a_i < p-2$, to be leaders for the quasigroup stream cipher and encrypt them by the ElGamal algorithm, obtaining $C_i = (\Gamma_i, \Delta_i)$, $i = 1, 2, \dots, k$.

5. Send $C$ and $C_i$, $i = 1, 2, \dots, k$.

Establishment of a secure stream cipher. Alice will establish a secure stream channel with Bob by doing the following:

1. Decrypt $C$ by the ElGamal decryption procedure, obtaining $K$ by which a left parastrophe $(Q, \backslash)$ will be defined with equation (7).

2. Decrypt $C_i$ by the ElGamal decryption procedure, obtaining the integers $a_i$, $i = 1, 2, \dots, k$, $1 < a_i < p-1$, to be leaders for the quasigroup stream cipher.

Stream Encryption. Bob encrypts messages from the message stream $m_1, m_2, \dots$ by doing the following:

1. Represent every message part $m_j$ as an integer in the range $\{0, 1, \dots, p-1\}$.

2. Iteratively compute $m_j^{(i)} = a_i * m_j^{(i-1)}$, where $m_j^{(0)} = m_j$, $i = 1, \dots, k$, and $*$ is the quasigroup operation defined by (5).

3. Set $c_j = m_j^{(k)}$ and update the values of the leaders by $a_i = m_j^{(i)}$, $i = 1, \dots, k-1$, and $a_k = 1 + \big(\sum_{i=1}^{k} m_j^{(i)}\big) \bmod (p-1)$.

4. Send the ciphertext $c_j$.

Stream Decryption. To decrypt the part $c_j$ of the cipher text stream $c_1, c_2, \dots$ Alice should do the following:

1. Obtain the cipher text part $c_j$.

2. Iteratively compute $c_j^{(k)} = a_k \backslash c_j$, $c_j^{(i)} = a_i \backslash c_j^{(i+1)}$, $i = k-1, \dots, 1$, where $\backslash$ is the quasigroup operation defined by (7).

3. Recover $m_j = c_j^{(1)}$ and update the values of the leaders by $a_i = c_j^{(i+1)}$, $i = k-1, \dots, 1$, and $a_k = 1 + \big(c_j + \sum_{i=2}^{k} c_j^{(i)}\big) \bmod (p-1)$.

Example 1. In the following example we will use a relatively small value of the prime number $p$, in order to show how the algorithm works.

Key generation. Alice generates her public and private keys as follows:

1. $p = 2^{16} + 1 = 65537$ and a generator $\alpha = 13$ of the multiplicative group of the integers $\{1, 2, \dots, 65536\}$.

2. She then selects a random integer $a = 10307$ and computes $\alpha^a \bmod p = 13^{10307} \bmod 65537 = 29656$.

3. Alice's public key is the triplet $(p, \alpha, \alpha^a) = (65537, 13, 29656)$; Alice's private key is $a = 10307$.

Session key generation. Bob wants to establish a secure stream channel with Alice by doing the following:

1. Obtain Alice's authentic public key $(p, \alpha, \alpha^a) = (65537, 13, 29656)$.

2. Select a random integer $K = 35469$ by which a quasigroup $(Q, *)$ will be defined on the elements $\{1, 2, \dots, 65536\}$ with equation (5), where

$$f_K(j) = \frac{1}{1 + (35469 + j) \bmod 65536} \bmod 65537.$$

3. Encrypt $K$ by the ElGamal algorithm, obtaining $C = (\Gamma, \Delta) = (1845, 57308)$ (by using the random exponent $e = 53882$).

4. Select $k = 3$ random integers $(a_1, a_2, a_3) = (41866, 44005, 27025)$ to be initial leaders for the quasigroup stream cipher and encrypt them by the ElGamal algorithm, obtaining $C_1 = (\Gamma_1, \Delta_1) = (13023, 32389)$, $C_2 = (\Gamma_2, \Delta_2) = (39691, 7691)$ and $C_3 = (\Gamma_3, \Delta_3) = (14791, 21654)$ (by using the random exponents 19495, 7737 and 4256).

5. Send $C_1$, $C_2$ and $C_3$.

Establishment of a secure stream cipher. Alice will establish a secure stream channel with Bob by doing the following:

1. Decrypt $C = (\Gamma, \Delta) = (1845, 57308)$ by the ElGamal decryption procedure, obtaining $K = 35469$ by which a left parastrophe $(Q, \backslash)$ will be defined with equation (7), i.e. $i \backslash j = \big((i \times j^{-1} \bmod p) - 1 - K\big) \bmod (p-1)$.

2. Decrypt $C_1 = (\Gamma_1, \Delta_1) = (13023, 32389)$, $C_2 = (\Gamma_2, \Delta_2) = (39691, 7691)$ and $C_3 = (\Gamma_3, \Delta_3) = (14791, 21654)$ by the ElGamal decryption procedure, obtaining the integers $(a_1, a_2, a_3) = (41866, 44005, 27025)$ to be initial leaders for the quasigroup stream cipher.
Stream Encryption. Bob encrypts messages from the message stream $m_1, m_2, \dots$ by doing the following:

1. Suppose that Bob wants to send the following three successive messages $(m_1, m_2, m_3, \dots) = (64816, 47513, 52916, \dots)$.

2. He iteratively computes $m_1^{(1)} = a_1 * m_1 = 41866 * 64816 = 6851$, $m_1^{(2)} = a_2 * m_1^{(1)} = 44005 * 6851 = 44908$, $m_1^{(3)} = a_3 * m_1^{(2)} = 27025 * 44908 = 19753$.

3. Set $c_1 = m_1^{(3)} = 19753$ and update the values of the leaders by $(a_1, a_2, a_3) = (m_1^{(1)}, m_1^{(2)}, 1 + (m_1^{(1)} + m_1^{(2)} + m_1^{(3)}) \bmod (p-1)) = (6851, 44908, 5977)$.

4. Send the ciphertext $c_1 = 19753$.

5. He then repeats steps 2-4 for $m_2 = 47513$ and so on.

Stream Decryption. To decrypt the part of the cipher text stream $c_1, c_2, \dots$ Alice should do the following:

1. Obtain the cipher text part $c_1 = 19753$.

2. Iteratively compute $c_1^{(3)} = a_3 \backslash c_1 = 27025 \backslash 19753 = 44908$, $c_1^{(2)} = a_2 \backslash c_1^{(3)} = 44005 \backslash 44908 = 6851$, $c_1^{(1)} = a_1 \backslash c_1^{(2)} = 41866 \backslash 6851 = 64816$.

3. Recover $m_1 = c_1^{(1)} = 64816$ and update the values of the leaders by $a_2 = c_1^{(3)} = 44908$, $a_1 = c_1^{(2)} = 6851$ and $a_3 = 1 + (c_1 + c_1^{(3)} + c_1^{(2)}) \bmod (p-1) = 1 + (19753 + 44908 + 6851) \bmod (p-1) = 5977$.

4. She then repeats steps 2 and 3 for $c_2$ and so on.
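The complete cipher of this section, with the quasigroup of Section 2.3 and the ElGamal part of Section 2.1, as an added Python example that is not the paper's own code, replaying the values of Example 1 ($p = 65537$, $K = 35469$, the three leaders and $m_1 = 64816$). It assumes that message blocks are taken from $\mathbb{Z}_p^* = \{1, \dots, p-1\}$, since $0$ has no inverse modulo $p$, and it passes the ElGamal exponents in explicitly so that the run is reproducible.

```python
# Added example (not the paper's own code): the quasigroup stream cipher of
# Section 3 over Z_p^*, built from the quasigroup of Section 2.3 and the
# ElGamal scheme of Section 2.1, replayed on the values of Example 1.
# Assumption: message blocks lie in Z_p^* = {1, ..., p-1}; 0 has no inverse
# modulo p, so the quasigroup operation is not defined on it.
from typing import List, Sequence, Tuple


def f_K(p: int, K: int, j: int) -> int:
    """Lemma 4: f_K(j) = 1 / (1 + (K + j) mod (p-1))  mod p."""
    return pow(1 + (K + j) % (p - 1), -1, p)


def star(p: int, K: int, i: int, j: int) -> int:
    """Equation (5): i * j = i x f_K(j) mod p (one inversion, one multiplication)."""
    return (i * f_K(p, K, j)) % p


def ldiv(p: int, K: int, i: int, j: int) -> int:
    """Corollary 1: i \\ j = g_K(i, j) if non-zero, else p-1, where
    g_K(i, j) = ((i * j^-1 mod p) - 1 - K) mod (p-1)."""
    g = ((i * pow(j, -1, p)) % p - 1 - K) % (p - 1)
    return g if g != 0 else p - 1


def elgamal_encrypt(p: int, alpha: int, alpha_a: int, m: int, e: int) -> Tuple[int, int]:
    """Section 2.1 encryption; the exponent e is passed in for reproducibility
    (a real implementation draws it from a CSPRNG)."""
    return pow(alpha, e, p), (m * pow(alpha_a, e, p)) % p


def elgamal_decrypt(p: int, a: int, c: Tuple[int, int]) -> int:
    """Section 2.1 decryption: m = delta * gamma^(p-1-a) mod p."""
    gamma, delta = c
    return (delta * pow(gamma, p - 1 - a, p)) % p


class QuasigroupStream:
    """One end of the stream; the k leaders evolve with every block."""

    def __init__(self, p: int, K: int, leaders: Sequence[int]):
        self.p, self.K, self.a = p, K, list(leaders)

    def encrypt(self, m: int) -> int:
        inter, x = [], m                      # inter = m^(1), ..., m^(k)
        for a in self.a:
            x = star(self.p, self.K, a, x)    # m^(i) = a_i * m^(i-1)
            inter.append(x)
        # a_i <- m^(i) for i < k,  a_k <- 1 + (m^(1) + ... + m^(k)) mod (p-1)
        self.a = inter[:-1] + [1 + sum(inter) % (self.p - 1)]
        return inter[-1]                      # c = m^(k)

    def decrypt(self, c: int) -> int:
        inter, x = [c], c                     # inter = c, c^(k), ..., c^(2), c^(1)
        for a in reversed(self.a):
            x = ldiv(self.p, self.K, a, x)    # c^(i) = a_i \ c^(i+1)
            inter.append(x)
        # a_i <- c^(i+1) for i < k,  a_k <- 1 + (c + c^(2) + ... + c^(k)) mod (p-1)
        self.a = list(reversed(inter[1:-1])) + [1 + sum(inter[:-1]) % (self.p - 1)]
        return inter[-1]                      # m = c^(1)


def roundtrip(p: int, K: int, leaders: Sequence[int], msgs: Sequence[int]) -> bool:
    """True if a fresh receiver decrypts every block a fresh sender produces, in order."""
    bob, alice = QuasigroupStream(p, K, leaders), QuasigroupStream(p, K, leaders)
    return all(alice.decrypt(bob.encrypt(m)) == m for m in msgs)


def run_example() -> Tuple[int, List[int], int, List[int]]:
    """Replays Example 1: Alice's key, Bob's ElGamal-wrapped session values,
    then the first block of the stream in both directions."""
    p, alpha, a = 65537, 13, 10307               # Alice: p = 2^16 + 1, generator, private a
    alpha_a = pow(alpha, a, p)                   # public key (p, alpha, alpha^a)
    K, leaders = 35469, [41866, 44005, 27025]    # Bob's K and k = 3 initial leaders
    exps = (53882, 19495, 7737, 4256)            # Bob's ElGamal exponents from Example 1
    C = elgamal_encrypt(p, alpha, alpha_a, K, exps[0])
    Cs = [elgamal_encrypt(p, alpha, alpha_a, l, e) for l, e in zip(leaders, exps[1:])]
    # Alice unwraps K and the leaders; both ends now share the same quasigroup
    bob = QuasigroupStream(p, K, leaders)
    alice = QuasigroupStream(p, elgamal_decrypt(p, a, C),
                             [elgamal_decrypt(p, a, c) for c in Cs])
    c1 = bob.encrypt(64816)                      # m_1 of Example 1
    m1 = alice.decrypt(c1)
    return c1, bob.a, m1, alice.a


if __name__ == "__main__":
    print(run_example())
```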

4 Cryptographical strength of the quasigroup stream cipher in $\mathbb{Z}_p^*$

The proposed algorithm has two parts. The first part is the ElGamal algorithm, and the cryptographical strength of that part is based on the strength of the ElGamal algorithm, i.e. on the cryptographical strength of the Diffie-Hellman algorithm, which in turn relies for its security on the intractability of the Discrete Logarithm Problem.

The second part is the part where fast stream cipher transformations are performed using $k$ leaders that are unknown to an adversary. In what follows we will examine the cryptographical strength of the stream cipher depending on the number of leaders $k$. We will assume that the quasigroup stream cipher is broken if the adversary finds some of the symmetric parts of the stream, i.e. if he somehow finds the number $K$ which defines the permutation in $\mathbb{Z}_p^*$ or any of the initial leaders $a_1, a_2, \dots, a_k$.

10 Gligoroski

4.1 The case $k = 1$

Let $k = 1$, and let us suppose that the adversary has one pair of known plaintext and ciphertext $(M, C) = (m_1, m_2, m_3, \dots, c_1, c_2, c_3, \dots)$. By having that information he will try to obtain some knowledge about the value $K$ which defines the quasigroup $(Q, *)$ and about the initial leader $a_1$. From the definition of the algorithm it follows that $c_1 = a_1 * m_1$ and $c_2 = c_1 * m_2$, i.e.

$$c_1 = \frac{a_1}{1 + (K + m_1) \bmod (p-1)} \bmod p, \qquad c_2 = \frac{c_1}{1 + (K + m_2) \bmod (p-1)} \bmod p,$$

where $a_1$ and $K$ are not known. The last system can be reduced to a quadratic polynomial equation with one unknown $K$ in the field $\mathbb{Z}_p$. Such univariate quadratic polynomial equations can be easily solved for any prime number $p$ ([24], p. 37). So, if the number of used leaders is $k = 1$ the stream cipher is easily breakable.



4.2 The case $k = 2$

For the case when $k \ge 2$ we will analyse the strength of the algorithm by assuming that the adversary can apply a chosen plaintext attack, i.e. we will assume that the adversary knows the outcome of the encryption of the plaintext stream where all messages are $m_i = p-2$, $i = 1, 2, \dots$, i.e. he knows the following pair of plaintext and ciphertext: $(M, C) = (p-2, p-2, p-2, p-2, \dots, c_1, c_2, c_3, c_4, \dots)$. With that special case the equations for the quasigroup transformations are simplified, since for any $c \in \mathbb{Z}_p^*$

$$c * (p-2) = c \times f_K(p-2) \bmod p = \frac{c}{1 + (K + p - 2) \bmod (p-1)} \bmod p = \frac{c}{K} \bmod p.$$

We will make an additional assumption in order to simplify the equations that have to be solved. Namely, instead of the complicated usage of modulo $p$ and modulo $p-1$ in the obtained equations, we will only use operations modulo $p$. Although the solutions of those equations are not necessarily solutions of the real equations involving modulo $p$ and modulo $p-1$, we will show that even those simplified equations are hard to solve if the number of used leaders $k$ is sufficiently large.

So, by the mentioned simplifications and assumptions, for $k = 2$ the adversary will obtain a system of equations in $\mathbb{Z}_p^*$ that can be reduced to the following univariate polynomial equation of degree 3 in $\mathbb{Z}_p$ with unknown variable $K$:

$$c_3 K^3 + (-2c_2 + c_3 - c_2 c_3) K^2 + (c_1 - c_2 + c_2^2) K + c_2 c_3 - c_1 c_3 = 0.$$

For this type of polynomial there are efficient (running in polynomial time) randomized algorithms for finding the roots in $\mathbb{Z}_p^*$ (see for example [24], p. 37 and pp. 123-132). So, we could say that the case with two leaders, i.e. when $k = 2$, when the equations are simplified and we only work modulo $p$, can be successfully attacked by the chosen plaintext attack.

We are not aware of any known randomized or deterministic algorithms for solving equations that involve both modulo $p$ and modulo $p-1$, which is a much more complicated and harder case to solve, but taking a conservative approach, we will consider that the case $k = 2$ is not safe.



4.3 The case $k = 3$

For the case when $k = 3$, and by supposing that a possible adversary has one pair of known chosen plaintext and ciphertext $(M, C) = (p-2, p-2, p-2, p-2, \dots, c_1, c_2, c_3, c_4, \dots)$, he can obtain the following system of simplified equations, the first of which is

$$c_1 = \frac{a_3}{1 + K + \dfrac{a_2}{1 + K + \dfrac{a_1}{K}}},$$

while $c_2$, $c_3$ and $c_4$ have the same nested form, with the leaders replaced by their updated values after each step.

If we introduce two new variables $A_1$ and $A_2$, we can reduce the above system to a system of two bivariate polynomial equations

$$P_1(K, A_1) = 0, \qquad P_2(K, A_1) = 0,$$

where in the first polynomial $P_1$ the degree of $K$ is 7 and the degree of $A_1$ is 3, and in the second polynomial $P_2$ the degree of $K$ is 12 and the degree of $A_1$ is 5.

It is clear that if we continue several more steps, with the usage of several more leaders, the complexity of the system to be solved would increase even more. Although the obtained equations have a specific structure, we can ask the following question: are there any fast (polynomial-time, deterministic or randomized) algorithms for solving systems of multivariate polynomials modulo a big prime number $p$? We can try to find the answer in the results of modern number theory. Namely, two areas of research are connected with the posed question: 1. factorization of multivariate polynomials modulo a prime number, and 2. solving systems of multivariate polynomials modulo a prime number. Although in the last decades we have seen dramatic breakthroughs in the factorization of multivariate polynomials modulo prime numbers, and in some cases the results of those breakthroughs increase our knowledge of how to solve systems of multivariate polynomials modulo a prime number, it was shown that finding the roots of systems of multivariate polynomials modulo a big prime number $p$ is equivalent to solving an NP-hard problem (see [21]).

From the above discussion, we can say that we have strong evidence that breaking the proposed stream cipher would be as hard as solving some NP-hard problem in polynomial time.

5 Conclusions and further directions 

In these conclusions we would like to say something about the speed of the proposed stream cipher. For every block $m_j$ and $c_j$, in both the encryption and the decryption phase, $k$ modular multiplications and $k$ modular calculations of an inverse element are needed, but no operations of modular exponentiation. If we have in mind that modular multiplication and modular division modulo $p$ can be implemented in $O(\log^2 p)$, the total number of operations has complexity $O(k \log^2 p)$. In other words, calculated as operations per byte, the proposed stream cipher is much faster than cryptographic algorithms that work over $\mathbb{Z}_p^*$, and can approach the speed of fast symmetric-key stream ciphers. However, the benefit of using the proposed stream cipher is that its cryptographic strength is equivalent to solving NP-hard problems in polynomial time (with a deterministic or with a randomized algorithm).

From another point of view, the proposed stream cipher tries to bridge the gap between fast symmetric-key algorithms and slow public-key algorithms, using the flexible key-exchange possibilities of public-key algorithms and the speed of symmetric-key algorithms. The mathematical structure of the domain of encoded messages is the same in both parts, i.e. the transformations are done in the set $\mathbb{Z}_p^* = \mathbb{Z}_p \setminus \{0\} = \{1, 2, \dots, p-1\}$.

In a practical implementation, in order to avoid the common disadvantage of all public-key algorithms, namely the expansion of the original message, first in the process of transforming a message $m$ into an integer from the set $\{1, 2, \dots, p-1\}$ and then in the process of encryption, we should implement the proposed algorithm with a prime number $p$ which has the form of a Fermat prime $F_n = 2^{2^n} + 1$. However, for $n = 3$ and $n = 4$ the prime numbers $F_3 = 257$ and $F_4 = 65537$ are too small for cryptographic purposes, and there are no prime Fermat numbers for $n > 4$. To overcome that disadvantage we propose the use of prime numbers of the form $p_i = 2^{8i} + 3$. For example $p_{98}$, $p_{213}$ and $p_{251}$ are prime numbers with 784, 1704 and 2008 bits respectively. For example, let us suppose that we use the prime number $p_{251}$ with 2008 bits. Then, in the process of message transformation, we could simply treat every consecutive 2008 bits, i.e. 251 bytes, as an input message and add one extra byte, which will in fact be the total message expansion.